Security fixes are provided for the current stable version of this PHP API client only. Older versions are not supported and must be updated before you report security issues.
If you've found a security vulnerability in Zammad, please report the vulnerability exclusively via email to security@zammad.com.
Please do not combine several independent vulnerabilities in one report; send a separate mail for each of them instead.
To send us a secure message, please use our public key.
We will get back to you as soon as possible and inform you about the next steps. Accepted vulnerabilities will be disclosed via a patch-level release with an accompanying security advisory.
- Potential security issues can be reported via security@zammad.com.
- We evaluate them and provide timely feedback to the reporter.
- Security releases may be created if needed, e.g. Zammad 6.3.1.
- We publish security advisories for every acknowledged issue via GitHub Security Advisories.
- After their publication, we request CVE identifiers to be assigned to the advisories.
Every first reporter of a vulnerability may be credited in the related security advisory.
Zammad does not offer financial compensation through a security bounty program.
Dependencies are managed via Composer. You can check for known security vulnerabilities in dependencies by running:
composer audit